Tagged Questions

An attack using every possible input to attempt to produce the correct output. Typically the method of last resort when no weakness allows the use of a more restricted input set. E.g. trying all possible (or likely) passwords, in an attempt to guess the correct one.

With the arguments expressed in this answer, there is a few seconds' delay between when the user enters an incorrect password and when he/she actually learns that the password was incorrect. This security solution is ...

I would like to ask if there are 2^1000 possibilities to choose from, how long would it take to go through them all on average? (in terms of min, hours or years)
Note: This is not necessarily related to ...

I'm trying to recover my router username and password without resetting the router for educational purposes. I read that Hydra can be used for "brute-forcing" http-get-form authentication that most ...

Last weekend LastPass' network was compromised and a list of email addresses along with the hashes of the master passwords were stolen. It is being recommended that LastPass users change their ...

In Chapter 7 of Applied Cryptography, Bruce Schneier claims that, due to thermodynamic limitations, "brute-force attacks against 256-bit [symmetric] keys will be infeasible until computers are built ...

Recently I've had brute force attack attempts on some of my WordPress sites and the attackers are using actual usernames other than the default admin (which was removed).
How is it possible for them ...

In a web application, one way to protect against password guessing attacks is to lock out accounts after a set number of failed logins. This could be done on both source IP address and username.
For ...

In section 3.3 of the PCI standard, it says that when displaying PANs, limiting visibility to the first 6 and last 4 digits of the PAN is considered secure. Doing some quick math, on a 16 digit PAN, ...

Twitter released (some time ago) a new kit named Digits which allows the client to log in with a phone number and an authorization code (received through SMS). I find it great for the user experience ...

In this answer, it was recommended that you add random padding when hashing messages for a trusted timestamp, such as for predictions, in order to avoid dictionary and brute force attacks (at least ...

I've been doing some research on hacking recently and I found some very interesting tutorials on brute force cracking. I have some questions to ask and I'll be using Facebook as an example.
Let's say ...

I am stuck with this question, you can see it in the picture I have included below.
PARTS (a and b) I know a-z will be 26^8, A-Z will be 26^8 guesses, and 0-9 will be 10^8 guesses. But I can't relate ...

The question is a bit tricky because they don't have the same purpose, but:
Do both kinds of file face the same security issue concerning private key protection: password strength? (PBKDF2 as both ...

A 256 bit AES key is required to be broken using the brute force method on a 2GHz computer.
How long would it take to break the key in the best case and in the worst case situations? Assume that 1000 ...

Let's assume ssh key brute force is unrealistic.
It seems to me your greatest vulnerability would be someone gaining access to a client filesystem. If that's the case then key loggers and a host of ...

I'm involved in the development of a SaaS application. We host the application for different customers. A customer is a company. Each customer gets access to their hosted instance of the application ...

I am trying to penetrate a password on my own website using hydra.
Let's say that I know the login and password and I just put both there like in the sample below:
hydra -l admin -p password 123.123.123.123 ...

I have programmed a login in my webpage and now I want to test it against a dictionary attack. I am using Apache and my website is not online, so to access it I connect to localhost/website. In hydra I ...

I'm not sure if I'm right here, but I just wanted to know if there is a tool that scans all possible filename combinations on a server and tells you what filenames the server responded to. So it would ...

When bruteforcing a captured packet containing the encrypted password, can the owner/admin of the router see each auth attempt? I'm assuming you just encrypt each passphrase in the dictionary file and ...

I wanted to use a brute force attack on hashcat but WPA/WPA2 networks are 8-64 characters long and they have multiple possibilities of a password. I was wondering if there was a way to use multiple ...

What are good ways to prevent distributed brute force attacks on my website?
I think (not sure. if someone can assure me, thanks!) my site is secure against normal brute force attacks as I am using ...